Systems and Internet Infrastructure Security
Network and Security Research Center
Department of Computer Science and Engineering
Pennsylvania State University, University Park, PA

Advanced Systems Security: Web Security
Trent Jaeger
Systems and Internet Infrastructure Security (SIIS) Lab
Computer Science and Engineering Department, Pennsylvania State University
April 22, 2010

Systems and Internet Infrastructure Security (SIIS) Laboratory, Page 1

Problem
- The Internet / World Wide Web enabled anyone, anywhere, to talk.
- What happens next?

What the Web Means to Me (Server Side)
- The web server is a portal to a wide variety of application content.
- Web server design needs to be as general as possible; otherwise it would limit application developers.
- But this means that the web server is like an OS for the web applications. But is it?

What the Web Means to Me (Client Side)
- The web client is a portal to a wide variety of application content.
- Web client design needs to be as general as possible; otherwise it would limit application developers.
- But this means that the web client is like an OS for the web applications. But is it?

Web Server Systems: They Started Out So Simple
- Servers produced static content on demand.
- Clients render the content; no executable content.

Web Server Systems: Then Things Got Complicated
- Web servers compute dynamic content.
- And offload some of the computation to the client.

Web Server Systems: Server Side
- Receives input from anyone in the world.
- Submits it to a web application component:
  - Processing defined by others.
  - Which may or may not protect itself from malicious input.
- But web applications may have valuable data (your credit card numbers).
- What then?

Web Server Systems: Client Side
- Receives input from anyone in the world.
- Some input is executable; often not clear what.
- So we need to find and isolate execution, except when executables need to interact.
- Need a policy to describe this: the same origin policy.
- What then?

Same Origin Policy

Some Web System Bugs: Cross-Site Scripting
- Server receives malicious input, which it distributes to clients as if from itself.
- Web application does not adequately sanitize.
- Same origin policy does not prevent this. Why not?

Some Web System Bugs: Cross-Site Request Forgery
- Malicious or compromised server sends malicious content to the client.
- That content tries to trick the user into interacting with a target.
- Same origin policy does not prevent this. Why not?

Some Web System Bugs: Clickjacking
- Malicious or compromised server sends malicious content to the client.
- That content generates web requests to a target.
- Same origin policy does not prevent this. Why not?

Reference Monitor with MPS
- OK, so we can solve all problems with a reference monitor. What is missing here?
- But we need to enforce an MPS. What is missing with respect to that?
- Other problems? Hint: not exactly satisfying Biba integrity.

Securing Your Web Server
- 2001: http://windows.stanford.edu/docs/IISsecchecklist.htm
- 2005: http://www.petefreitag.com/item/505.cfm
- 2010: http://krebsonsecurity.com/2010/01/firm-to-release-database-web-server-0days

Saner
- Problem: Web applications perform mission-critical tasks, are accessible to attackers, and are built with ad hoc input validation. What integrity principles does this violate?
- Solution: More principled input validation.
- Lessons: Overall approach and techniques.

A Saner Approach
- Model the way that the application processes input values.
- Check that model statically to identify likely errors in sanitization.
- Use a runtime technique to verify legitimate errors in sanitization.

Approaches: Static Taint Checking
- Approach: Identify tainted sources and see whether they flow to sinks that require them to be untainted.
- Identify tainted sinks: label a program variable or expression (e.g., with a type).
- Identify untainted sinks: label a program variable, expression, or function argument (e.g., with a type incompatible with tainted data).
- Type checking detects the incompatibility.

Problems: Static Taint Checking
- Sinks have different requirements for sanitization.
  - Just changing from tainted to untainted is not expressive enough.
  - E.g., protecting data structure integrity does not prevent SQL injection.
- Identifying operations that do sanitization in code: some are well known, but some are custom.
- Check sinks to identify whether malicious inputs reach them.

Their Approach (Static)
- Use automata to represent an arbitrary set of strings.
- Represent the value and which parts are tainted.
- Find dependence among variables.

Their Approach (Static)
- Postorder traversal of the dependence tree.
- Combine string automata based on descendants.
- Known function behaviors are modeled as precisely as possible to generate new automata.
- Unknown function behaviors generate any string of either type (tainted or untainted); the former if any input is tainted.
- Tricky to deal with cycles.

Their Approach (Dynamic)
- Static analysis may generate false positives: it is conservative, so some executions may be assumed that are not really possible.
- Use runtime analysis to validate statically found positives.
  - Which part to run? In what initial state?
  - Generate runtime inputs and see if they cause problems.
  - How to generate the runtime inputs?

Their Approach (Dynamic)
- Build the sanitization graph: an interprocedural data flow graph.
- Build summary functions of each procedure's data
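The static phase of the Saner approach described above (postorder traversal of a dependence tree, precise models for known sanitizers, conservative handling of unknown functions, and per-sink sanitization requirements) can be illustrated with a small analysis. This is an added example, not the paper's or the lecture's code: it tracks, for each value, the set of sink contexts it is safe for, which is a simplification of the paper's string automata; the node kinds, the `html_escape` and `sql_quote` sanitizer names and the sample program are constructed for illustration.

```python
"""Per-sink taint analysis over a string dependence tree (constructed example).

A value carries the set of sink contexts it is safe for, instead of a single
tainted/untainted bit, so "escaped for HTML" does not count as "safe for SQL".
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List

ALL_SINKS = frozenset({"html", "sql"})  # sink contexts modelled here

# Hypothetical well-known sanitizers and the sink each one makes a value safe for.
KNOWN_SANITIZERS = {"html_escape": "html", "sql_quote": "sql"}


@dataclass
class Node:
    kind: str                                   # "lit" | "input" | "concat" | "call"
    children: List["Node"] = field(default_factory=list)
    func: str = ""                              # callee name for kind == "call"


def safe_for(node: Node) -> FrozenSet[str]:
    """Postorder: combine descendants' labels into the label of this node."""
    child_sets = [safe_for(c) for c in node.children]
    combined = frozenset.intersection(ALL_SINKS, *child_sets)  # safe only where all parts are
    if node.kind == "lit":
        return ALL_SINKS                        # program constant: untainted everywhere
    if node.kind == "input":
        return frozenset()                      # attacker-controlled: safe nowhere
    if node.kind == "concat":
        return combined
    if node.kind == "call":
        ctx = KNOWN_SANITIZERS.get(node.func)
        if ctx is not None:
            return combined | {ctx}             # precise model: adds exactly one context
        # Unknown function: any string, tainted iff any input is tainted.
        # This is where custom sanitizers cause false positives for the dynamic phase to check.
        return ALL_SINKS if combined == ALL_SINKS else frozenset()
    raise ValueError(f"unknown node kind {node.kind!r}")


def check_sink(node: Node, sink: str) -> bool:
    """True when the value reaching `sink` is proven safe for that context."""
    return sink in safe_for(node)


# Constructed program: name = html_escape(GET["name"]); the same variable then
# flows into an HTML page and into a SQL query built by concatenation.
name = Node("call", [Node("input")], func="html_escape")
html_out = Node("concat", [Node("lit"), name, Node("lit")])
sql_query = Node("concat", [Node("lit"), name, Node("lit")])

if __name__ == "__main__":
    print("html sink safe:", check_sink(html_out, "html"))   # True
    print("sql sink safe: ", check_sink(sql_query, "sql"))   # False: HTML escaping is not SQL quoting
```

The unknown-function rule is deliberately conservative, so a correct custom sanitizer is reported as a likely error; that is the false positive the runtime phase is meant to confirm or refute.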